DESCRIPTION

Chacha is D J Berstein’s symmetric stream cipher, as modified by RFC7539. It supports
keys of 256 bits (128 bits is supported here for special purposes). It has an underlying block size of 64 bytes
(named as constant
ChachaBsize).

SetupChachastate
takes a reference to a
Chachastate
structure, a
key
of
keylen
bytes, which should normally be
ChachaKeylen,
a
iv
or nonce of
ivlen
bytes (can be
ChachaIVlen=12,8
or
XChachaIVlen=24;
set to all zeros if the
iv
argument is nil),
and the number of
rounds
(set to the default of 20 if the argument is zero).
With a key length of 256 bits (32 bytes), a nonce of 96 bits (12 bytes)
and 20
rounds,
the function implements the Chacha20 encryption function of RFC7539.

Chacha_encrypt
encrypts
len
bytes of
buf
in place using the
Chachastate
in
s.Len
can be any byte length.
Encryption and decryption are the same operation given the same starting state
s.

Chacha_encrypt2
is similar, but encrypts
len
bytes of
src
into
dst
without modifying
src.

Chacha_setblock
sets the Chacha block counter for the next encryption to
blockno,
allowing seeking in an encrypted stream.

Chacha_setiv
sets the the initialization vector (nonce) to
iv.

Hchacha
is a key expansion function that takes a 128 or 256-bit key
and a 128-bit nonce and produces a new 256-bit key.

Ccpoly_encrypt
and
ccpoly_decrypt
implement authenticated encryption with associated data (AEAD)
using Chacha cipher and Poly1305 message authentication code
as specified in RFC7539.
These routines require a
Chachastate
that has been setup with a new (per key unique) initialization
vector (nonce) on each invocation. The referenced data
dat[ndat]
is in-place encrypted or decrypted.
Ccpoly_encrypt
produces a 16 byte authentication
tag,
while
ccpoly_decrypt
verifies the
tag,
returning zero on success or negative on a mismatch.
The
aad[naad]
arguments refer to the additional authenticated data
that is included in the
tag
calculation, but not encrypted.